Quick Commands

# edit + deploy
git status
git add -A
git commit -m "docs: update"
git push

# rebuild static blog output (local)
cd site
npm ci --no-audit --no-fund
npm run build

# VPS: pull only
# (on server)
git pull --ff-only

letsencrypt dns01_hostpoint_wildcard

ACME DNS‑01 (Hostpoint) for wildcard `*.test.privsec.ch`

Scope: wildcard issuance via DNS‑01 with Hostpoint (manual TXT records, no API), the Docker/Compose commands to run Certbot, and wiring the result into NGINX.

Goals

  • Obtain a wildcard cert for *.test.privsec.ch (plus the bare name test.privsec.ch) using DNS‑01; Let’s Encrypt only issues wildcards via DNS‑01.
  • Document the Hostpoint record format (what to type into “Name”), TTL, and propagation checks.
  • Provide Docker and Compose commands for certbot certonly --manual.

Why DNS‑01 (not HTTP‑01) for wildcards

  • HTTP‑01 validates one concrete hostname by serving a file under /.well-known/acme-challenge/, so it cannot prove control of *.test.privsec.ch. DNS‑01 proves control of the zone via a TXT record at _acme-challenge.<name>, which is why it is the only challenge type accepted for wildcards.

Hostpoint: exact TXT record format

  • In Hostpoint’s Name field enter **_acme-challenge.test** (Hostpoint appends .privsec.ch automatically, giving _acme-challenge.test.privsec.ch).
  • TTL: 300 s. Propagation: allow 15–30 min before the record is visible everywhere; a low TTL also keeps a stale negative answer from being cached for long.
  • Value: the validation string Certbot prints (a 43‑character base64url token). Each -d name gets its own value; the wildcard and the bare name share the same record name, so expect two TXT records at _acme-challenge.test.privsec.ch.

Certbot commands (manual DNS‑01)

Docker (one‑shot)

docker run -it --rm \
  -v "$PWD/letsencrypt:/etc/letsencrypt" \
  certbot/certbot certonly --manual --preferred-challenges dns \
  -d "*.test.privsec.ch" -d "test.privsec.ch"

-it is required: manual mode prints the TXT value and waits for Enter. The bind mount keeps the account key and the certificates on the host across runs.

docker‑compose (manual)

version: '3'
services:
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./letsencrypt:/etc/letsencrypt
      - ./varlibletsencrypt:/var/lib/letsencrypt
    command: certonly --manual --preferred-challenges dns -d "*.test.privsec.ch" -d "test.privsec.ch"

Run it with docker compose run --rm certbot (which attaches stdin and a TTY), not docker compose up; the manual prompts need an interactive terminal.

Important quoting: always quote the * in -d "*.test.privsec.ch" (or escape it as \*); an unquoted * is a shell glob and would be replaced by any matching file name in the current directory. Also use the **certonly** subcommand so Certbot only obtains the certificate and does not try to install it into a web server it cannot see from inside the container.

Interactive flow (manual)

  1. Run the Certbot command above. For each -d name it prompts for a TXT record, e.g.:
     _acme-challenge.test.privsec.ch TXT AbCdEf123456
     With two names you get two prompts, both for the same record name _acme-challenge.test.privsec.ch but with different values. Certbot says so itself: the second record must be added in addition to the first; do not remove or replace the first one.
  2. In Hostpoint, create: Type: TXT, Name: **_acme-challenge.test**, Value: token, TTL: 300 (one record per token).
  3. Wait a few minutes, then verify that the value(s) are visible:
     dig TXT _acme-challenge.test.privsec.ch @1.1.1.1 +short
     nslookup -type=TXT _acme-challenge.test.privsec.ch 8.8.8.8
     Let’s Encrypt asks the zone’s authoritative name servers, so also query those directly; a cached answer from a public resolver is not proof that validation will pass.
  4. Press Enter in Certbot. The certificate is written under ./letsencrypt/live/test.privsec.ch/ (Certbot strips the leading *. when naming the lineage; pass --cert-name test.privsec.ch to make that explicit).
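Step 3 is where most manual DNS‑01 runs go wrong: a hit on 1.1.1.1 or 8.8.8.8 only shows what that resolver has cached, while Let’s Encrypt queries the zone’s authoritative servers. The poller below is an added example, not from the original notes, Hostpoint or Certbot: it looks up the authoritative name servers for the zone, asks each one for the TXT record, and only reports success once every expected token is visible on every server. It assumes dig is installed and that test.privsec.ch is not delegated, i.e. the authoritative zone is privsec.ch; the script name check_acme_txt.sh and the 30‑second/30‑minute timings are my choices.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): poll the authoritative name
# servers of a zone until every expected _acme-challenge TXT value is visible.
# Assumes dig is installed. Zone, record name and tokens come from the command line.
set -u

# Pure check: $1 = observed TXT values, one per line (quotes already removed);
# remaining args = expected tokens. Returns 0 only if every token is present.
all_tokens_present() {
  observed=$1; shift
  for want in "$@"; do
    printf '%s\n' "$observed" | grep -qxF -- "$want" || return 1
  done
  return 0
}

# Strip the double quotes dig prints around TXT data ("abc" -> abc).
unquote_txt() {
  sed 's/^"//; s/"$//'
}

# Authoritative name servers of the zone, without the trailing dot.
auth_servers() {
  dig +short NS "$1" | sed 's/\.$//'
}

# TXT values for record $2 as answered by server $1, one per line.
txt_at() {
  dig +short @"$1" TXT "$2" | unquote_txt
}

# $1 = zone (privsec.ch), $2 = record name (_acme-challenge.test.privsec.ch),
# remaining args = expected tokens. Polls every 30 s and gives up after 30 min,
# the upper end of the propagation window noted above.
wait_for_txt() {
  zone=$1; name=$2; shift 2
  deadline=$(( $(date +%s) + 1800 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    servers=$(auth_servers "$zone")
    if [ -z "$servers" ]; then
      echo "no NS records found for $zone" >&2
      return 1
    fi
    all_ok=1
    for ns in $servers; do
      if all_tokens_present "$(txt_at "$ns" "$name")" "$@"; then
        echo "ok       $ns"
      else
        echo "missing  $ns"
        all_ok=0
      fi
    done
    if [ "$all_ok" -eq 1 ]; then
      echo "all authoritative servers answer: safe to press Enter in Certbot"
      return 0
    fi
    sleep 30
  done
  echo "timed out waiting for $name" >&2
  return 1
}

# Usage: ./check_acme_txt.sh privsec.ch _acme-challenge.test.privsec.ch TOKEN1 [TOKEN2]
# Pass both tokens when requesting *.test.privsec.ch and test.privsec.ch together.
if [ $# -ge 3 ]; then
  wait_for_txt "$@"
fi
```

Run it in a second terminal while Certbot waits at its prompt; once it prints the "safe to press Enter" line, continue in Certbot. Checking every authoritative server matters because Hostpoint may publish to several servers that pick up the change at different times, and Let’s Encrypt is free to ask any of them.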

Wiring certificates into NGINX

Mount the letsencrypt directory into the NGINX container (read‑only is enough) and reference fullchain.pem/privkey.pem in your vhost. live/ holds symlinks into archive/, so mount the whole /etc/letsencrypt tree rather than just live/, and run nginx -t before reloading:

ssl_certificate     /etc/letsencrypt/live/test.privsec.ch/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/test.privsec.ch/privkey.pem;

fileciteturn4file5L66-L70

Version notes & common pitfalls

  • Wildcards need ACME v2, i.e. Certbot 0.22 or newer (the certbot/certbot image is fine); ensure you run certonly and quote the wildcard.
  • Two -d names mean two TXT records with the same name _acme-challenge.test.privsec.ch and different values. Add the second without deleting the first; multiple TXT records at one name are valid DNS and exactly what Let’s Encrypt expects here.
  • If no Hostpoint API: renewal is manual. Certificates are valid for 90 days, and certbot renew will not renew a --manual lineage without a --manual-auth-hook, so rerun the same certonly command before expiry and repeat the TXT step with the new tokens.

Quick verification commands

# Check TXT
dig TXT _acme-challenge.test.privsec.ch @1.1.1.1 +short
nslookup -type=TXT _acme-challenge.test.privsec.ch 8.8.8.8

# After issuance: reload nginx
docker exec -it nginx nginx -s reload

fileciteturn4file10L31-L36 fileciteturn4file5L70-L73

Runbook / Checklist

  • [ ] Run Certbot (manual DNS‑01) interactively with the quoted wildcard and the bare name.
  • [ ] Create the TXT record(s) in Hostpoint: Name _acme-challenge.test, TTL 300, paste each token (two records with the same name for two -d names; do not delete the first).
  • [ ] Wait, verify via dig/nslookup (preferably against the authoritative servers), then press Enter.
  • [ ] Mount /etc/letsencrypt into NGINX, reference fullchain.pem/privkey.pem, test the config, reload.
  • [ ] Set a reminder to renew manually before the 90‑day validity ends (rerun certonly, repeat the TXT step).